PT-2025-12047 · Gradio App · Gradio

Published: 2025-03-20 · Updated: 2025-10-07 · CVE-2024-10569

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: gradio-app/gradio, version git 98cbcae

Description: A vulnerability in the dataframe component of gradio-app/gradio allows a zip bomb attack. The component uses pd.read_csv to process input values, and that function transparently accepts compressed files. An attacker can exploit this by uploading a maliciously crafted zip bomb, leading to a server crash and a denial of service.

Recommendations: As a temporary workaround, consider disabling the pd.read_csv call path until a patch is available. Restrict access to the dataframe component to minimize the risk of exploitation. Avoid accepting compressed files as input values for the dataframe component until the issue is resolved.
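A defensive pre-check for the condition described above, written here as an added example rather than Gradio's own code or the project's fix: it assumes the caller already holds the uploaded file's raw bytes, rejects anything that starts with a compressed-container signature or exceeds a byte cap, and only then hands a plain text buffer to pd.read_csv with decompression explicitly turned off. MAX_UPLOAD_BYTES and the function names are constructed for this example.

```python
import io
from typing import Optional

# Magic bytes of the containers pandas can transparently decompress. pd.read_csv
# defaults to compression="infer" (chosen from a path's extension) and an explicit
# compression= forces a codec; either way a compressed upload is inflated in memory.
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bz2",
    b"\xfd7zXZ\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed cap; tune to the deployment


def detect_compression(data: bytes) -> Optional[str]:
    """Return the codec name if data starts with a known compressed-container signature."""
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def prepare_csv_buffer(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> io.StringIO:
    """Reject oversized or compressed uploads; return a text buffer for pd.read_csv."""
    if len(data) > max_bytes:
        raise ValueError(f"upload of {len(data)} bytes exceeds limit of {max_bytes}")
    codec = detect_compression(data)
    if codec is not None:
        raise ValueError(f"compressed input ({codec}) is not accepted")
    return io.StringIO(data.decode("utf-8", errors="replace"))


def is_accepted(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> bool:
    """True if prepare_csv_buffer would accept the bytes, False if it raises."""
    try:
        prepare_csv_buffer(data, max_bytes)
    except ValueError:
        return False
    return True


def load_dataframe(data: bytes):
    """Hardened replacement for a bare pd.read_csv call on user-controlled input."""
    import pandas as pd  # imported here so the validators above run without pandas
    # compression=None: never let pandas pick a decompressor, even for a .gz path.
    return pd.read_csv(prepare_csv_buffer(data), compression=None)
```

The byte cap bounds what the component will parse at all; the signature check closes the gap where a small compressed file would otherwise expand far beyond that cap inside pandas.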

Tags: Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers: CVE-2024-10569, GHSA-7XMC-VHJP-QV5Q

Affected Products: Gradio